What is the District firewall policy and how does it apply to agencies connected to the DC Wide Area Network (DCWAN)?
Each agency must provide a business justification to the OCTO District Information Security Program (DCISP) and the Change Control Board (CCB) as to the purpose of an internal firewall at the DCWAN connection. If approved, a Memorandum of Understanding (MOU) will be generated documenting the following process: the DCISP will assist the agency in specifying the firewall, the agency will procure the firewall, and the DCISP and OCTO will assist the agency in installing the required device. The DCISP will then manage the firewall in accordance with OCTO and DCISP firewall policies, standards, and procedures.
What is the OCTO standard for encryption (is it OK to use PGP technology)?
Encryption is a technical security mechanism that protects the confidentiality of data transmitted over an open communications network. OCTO is developing an encryption standard to specify appropriately secure algorithms and define acceptable uses for encryption. This standard will be in accordance with federal encryption standards such as the Advanced Encryption Standard (AES) and NIST Special Publication 800-21, Guideline for Implementing Cryptography in the Federal Government. OCTO is also developing a Public Key Infrastructure (PKI) to address agency needs for encryption, digital signature, and secure remote access. PGP has been the most widely recognized and used encryption software in the IT industry. However, adopting PGP for new encryption applications is now a significant risk: although PGP remains the encryption engine within some commercial product lines, many PGP products are being placed into maintenance mode, which means limited technical support availability and the end of the product life cycle.
What is Public Key Infrastructure (PKI)?
Public Key Infrastructure is a framework for authentication, data and message integrity, confidentiality, and non-repudiation built on public/private key pairs. Each user or system holds a private key that is never shared, and a trusted certificate authority issues a certificate that binds the matching public key to that identity, so that anyone who trusts the authority can verify the holder's signature or encrypt data for the holder without a pre-shared secret.
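The following program is an added illustration of the PKI properties described above (and of the digital-signature use named in the encryption answer); it is not OCTO code and does not describe the District's actual PKI. It uses only the Go standard library: a self-signed root plays the certificate authority, issues a signing certificate to an agency user, and a relying party accepts a signed message only when the certificate chains to that root and the signature verifies. The CA name, subject name and message text are assumptions constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// credential pairs an X.509 certificate with the private key it vouches for.
type credential struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert makes a P-256 key pair and a certificate for name; ca == nil yields a self-signed root, else ca signs it.
func newCert(name string, serial int64, ca *credential) credential {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	parent, signer := tmpl, key // self-signed unless a CA is given
	if ca == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
	} else {
		parent, signer = ca.cert, ca.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return credential{cert, key}
}

// sign produces a detached ECDSA signature over SHA-256(msg) with the holder's private key.
func sign(c credential, msg []byte) []byte {
	digest := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, c.key, digest[:])
	check(err)
	return sig
}

// verify: the signer's certificate must chain to root and permit signing, then the signature must verify under its key.
func verify(root *x509.Certificate, signerDER, msg, sig []byte) error {
	cert, err := x509.ParseCertificate(signerDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("untrusted signer: %w", err)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, msg, sig); err != nil {
		return fmt.Errorf("integrity check failed: %w", err)
	}
	return nil
}

type result struct{ Genuine, Tampered, Rogue error } // nil means the message was accepted

// scenario: only the untouched message from a signer certified by the trusted root passes.
func scenario() result {
	root := newCert("DC OCTO Root CA", 1, nil)            // assumed CA name
	signer := newCert("agency.signer@dc.gov", 2, &root)    // assumed subject
	msg := []byte("Approve firewall change request 42")    // constructed sample message
	sig := sign(signer, msg)
	rogue := newCert("Untrusted CA", 9, nil)               // a CA the relying party never installed
	impostor := newCert("agency.signer@dc.gov", 3, &rogue) // same name, untrusted issuer
	return result{
		Genuine:  verify(root.cert, signer.cert.Raw, msg, sig),
		Tampered: verify(root.cert, signer.cert.Raw, []byte("Approve firewall change request 43"), sig),
		Rogue:    verify(root.cert, impostor.cert.Raw, msg, sign(impostor, msg)),
	}
}

func main() {
	r := scenario()
	fmt.Printf("genuine: %v\ntampered: %v\nrogue: %v\n", r.Genuine, r.Tampered, r.Rogue)
}
```

The two rejections show why the certificate matters as much as the signature: the tampered message fails the integrity check even though the signer is trusted, and the impostor's signature is mathematically valid for its own key but is rejected because no certificate from the trusted root binds that key to the claimed name. A real deployment adds revocation checking and protects the root key offline, which this example omits.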
Does agency management reserve the right to access data stored on individual desktops during employee absences?
Yes, under the conditions of procedures documented for that agency or office.
What are the names of security solutions packages for laptop users?
Laptop security starts with hardening the operating system: formatting drives with the New Technology File System (NTFS) so that file permissions can be enforced, setting strong BIOS passwords, disabling the Guest account, and enabling the Encrypting File System (EFS) so that data remains protected if the system is compromised or stolen. Note that NTFS permissions and BIOS passwords alone do not protect a stolen drive, which can simply be read from another machine; EFS is what keeps the data unreadable. Commercially available laptop security includes physical security devices, tracking software, and stronger encryption algorithms. Additionally, OCTO Information Security is available to assist in security product evaluations and selection.
Do CIOs have the ability to defeat enforced security controls?
Whether a CIO can defeat an enforced security control depends on the administrative privileges the CIO's accounts hold on the system that enforces it, not on the title itself.
Is it possible to get a list of the IT duties and responsibilities assigned to OCTO (e.g. Virtual Private Networks (VPN), Exchange, etc)?
Yes. Please visit the OCTO programs section.
Is a theft recovery software standard being considered for laptops (e.g. Computrace)?
Not at this time, however District Information Security personnel are available to participate in evaluation of products agencies may be considering.
Will information security policy affect contractors who bring in their own PCs and software?
OCTO is currently evaluating contractual clauses that stipulate that contractors must comply with all applicable OCTO and DCISP policies and standards PRIOR to having access granted to DCWAN and agency IT resources.
What encryption is available for wireless devices (e.g. handhelds)?
BlackBerry and GoodLink messages are already encrypted by those platforms when used with the Citywide Messaging system.